tcpdump mailing list archives

Re: fragmented ip packets


From: Guy Harris <guy () alum mit edu>
Date: Tue, 23 Nov 2010 01:14:33 -0800


On Nov 23, 2010, at 12:51 AM, Ankith Agarwal wrote:

I am trying to filter all the SIP packets using pcap filter on ports of
5060 and 5061. But, some of the SIP packets are fragmented in the IP layer
because of their size (greater than MTU). I wanted to know whether the
pcap_loop api gives these packets by combining it, or it just gives the
last fragment of the packet.

The pcap_loop API gives each *link-layer* packet, as received by the network adapter, that matches the filter.  The same is true of all other packet-reading APIs (pcap_dispatch(), pcap_next(), and pcap_next_ex()), as they all run atop the same underlying packet capture mechanism.

A fragmented IP datagram has the TCP or UDP header in the first fragment, so if your filter is filtering on a TCP or UDP port number, only the *FIRST* fragment will be delivered.  If you want to capture *ALL* fragments, you will either need to capture with a filter that doesn't specify a TCP or UDP port number (or anything else in the TCP or UDP header), or that specifies "either this port number *OR* not the first fragment", and discard fragments that aren't part of an interesting reassembled fragment yourself.

None of the libpcap/WinPcap APIs will reassemble packets for you; you will have to do the reassembly yourself (and discard fragments that aren't part of a packet sent to or from the ports you specify).

(This is presumably SIP-over-UDP; if it's SIP-over-TCP or SIP-over-SCTP, the packets are probably "fragmented" at the TCP or SCTP layer, not the IP layer.)
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
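The two steps the reply describes, capturing "this port OR not the first fragment" and then reassembling and discarding uninteresting datagrams yourself, are illustrated below with an added example that is not part of the original thread or of libpcap. The filter string in the comment is the standard pcap-filter idiom for that condition (the `port` primitive itself only matches offset-zero fragments, which is why later fragments never match it); the code does not link libpcap, and instead feeds constructed IPv4 fragments, in out-of-order arrival, to a small RFC 791 style reassembler keyed on source, destination, ID and protocol. The `make_fragment`, `reasm_feed`, `is_sip_udp` and `demo_two_fragment_sip` names, the 192.168.1.x addresses and the SIP text are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Filter one would hand to pcap_compile() to get every fragment of a SIP datagram:
 *   "(udp port 5060 or udp port 5061) or (ip[6:2] & 0x1fff != 0)"
 * ip[6:2] & 0x1fff is the IPv4 fragment offset; non-zero means "not the first fragment". */

#define MAX_DGRAM 65535
#define MAX_SLOTS 8
#define BLOCKS (MAX_DGRAM / 8 + 1)

typedef struct {                /* one in-progress datagram, keyed as RFC 791 describes */
    int in_use;
    uint32_t src, dst; uint16_t id; uint8_t proto;
    uint8_t data[MAX_DGRAM];
    uint8_t have[BLOCKS];       /* one flag per 8-byte block already copied in */
    int total;                  /* payload length once the MF=0 fragment is seen, else -1 */
} reasm_t;

static reasm_t slots[MAX_SLOTS];

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

static reasm_t *find_slot(uint32_t src, uint32_t dst, uint16_t id, uint8_t proto) {
    reasm_t *free_slot = NULL;
    for (int i = 0; i < MAX_SLOTS; i++) {
        reasm_t *s = &slots[i];
        if (s->in_use && s->src == src && s->dst == dst && s->id == id && s->proto == proto) return s;
        if (!s->in_use && !free_slot) free_slot = s;
    }
    if (!free_slot) return NULL;            /* table full: drop (a real tool evicts the oldest) */
    memset(free_slot, 0, sizeof *free_slot);
    free_slot->in_use = 1; free_slot->src = src; free_slot->dst = dst;
    free_slot->id = id; free_slot->proto = proto; free_slot->total = -1;
    return free_slot;
}

/* Feed one IPv4 packet (link layer already stripped, as pcap's callback would give it after
 * skipping the Ethernet header). Returns 1 with out/out_len/proto filled when a datagram is
 * complete, 0 while still waiting for fragments, -1 for a malformed packet. */
int reasm_feed(const uint8_t *pkt, size_t len, uint8_t *out, size_t *out_len, uint8_t *proto) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot = be16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len) return -1;
    uint16_t frag = be16(pkt + 6);
    int mf = (frag & 0x2000) != 0;
    size_t off = (size_t)(frag & 0x1fff) * 8;   /* offset field is in 8-byte units */
    size_t plen = tot - ihl;
    if (off + plen > MAX_DGRAM || (mf && plen % 8 != 0)) return -1;
    *proto = pkt[9];
    if (!mf && off == 0) {                       /* not fragmented: hand the payload straight back */
        memcpy(out, pkt + ihl, plen); *out_len = plen; return 1;
    }
    reasm_t *s = find_slot(be32(pkt + 12), be32(pkt + 16), be16(pkt + 4), pkt[9]);
    if (!s) return 0;
    memcpy(s->data + off, pkt + ihl, plen);      /* overlap handling is out of scope here */
    for (size_t b = off / 8; b < (off + plen + 7) / 8; b++) s->have[b] = 1;
    if (!mf) s->total = (int)(off + plen);
    if (s->total < 0) return 0;
    for (size_t b = 0; b < ((size_t)s->total + 7) / 8; b++) if (!s->have[b]) return 0;
    memcpy(out, s->data, (size_t)s->total); *out_len = (size_t)s->total;
    s->in_use = 0;
    return 1;
}

/* The "discard what isn't interesting" step: SIP over UDP on port 5060 or 5061? */
int is_sip_udp(uint8_t proto, const uint8_t *dgram, size_t len) {
    if (proto != 17 || len < 8) return 0;
    uint16_t sport = be16(dgram), dport = be16(dgram + 2);
    return sport == 5060 || sport == 5061 || dport == 5060 || dport == 5061;
}

/* Constructed test data: minimal IPv4 header (checksum left 0) followed by payload. */
size_t make_fragment(uint8_t *buf, uint16_t id, uint8_t proto, int mf, uint16_t off8,
                     const uint8_t *payload, size_t plen) {
    memset(buf, 0, 20);
    buf[0] = 0x45;                                           /* IPv4, IHL 5 */
    buf[2] = (uint8_t)((20 + plen) >> 8); buf[3] = (uint8_t)(20 + plen);
    buf[4] = (uint8_t)(id >> 8); buf[5] = (uint8_t)id;
    uint16_t frag = (uint16_t)((mf ? 0x2000 : 0) | (off8 & 0x1fff));
    buf[6] = (uint8_t)(frag >> 8); buf[7] = (uint8_t)frag;
    buf[8] = 64; buf[9] = proto;
    memcpy(buf + 12, "\xc0\xa8\x01\x0a", 4);                 /* 192.168.1.10 (constructed) */
    memcpy(buf + 16, "\xc0\xa8\x01\x14", 4);                 /* 192.168.1.20 (constructed) */
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}

/* A 48-byte UDP datagram from port 5060 split into two 24-byte fragments, fed last-first. */
int demo_two_fragment_sip(uint8_t *out, size_t *out_len, uint8_t *proto) {
    const char *sip = "INVITE sip:bob@example.invalid SIP/2.0\r\n";      /* 40 bytes */
    uint8_t udp[48] = {5060 >> 8, 5060 & 0xff, 40000 >> 8, 40000 & 0xff, 0, 48, 0, 0};
    memcpy(udp + 8, sip, 40);
    uint8_t f1[64], f2[64];
    size_t l1 = make_fragment(f1, 0x1234, 17, 1, 0, udp, 24);         /* bytes 0..23, MF=1 */
    size_t l2 = make_fragment(f2, 0x1234, 17, 0, 3, udp + 24, 24);    /* bytes 24..47, last */
    if (reasm_feed(f2, l2, out, out_len, proto) != 0) return -1;      /* only last fragment so far */
    return reasm_feed(f1, l1, out, out_len, proto);                   /* first fragment completes it */
}
```

Only the first fragment carries the UDP header, so the port check has to run on the reassembled datagram rather than on each fragment; fragments whose datagram never completes (or whose ports turn out not to be 5060/5061) are simply dropped when their slot is reused.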
